Message ID | 20210812063333.73171-1-sriharsha.basavapatna@broadcom.com |
---|---|
State | Accepted |
Headers | show |
Series | [ovs-dev,v2] dynamic-string: fix a crash in ds_clone() | expand |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
On 8/12/21 8:33 AM, Sriharsha Basavapatna via dev wrote: > In netdev_offload_dpdk_flow_create() when an offload request fails, > dump_flow() is called to log a warning message. The 's_tnl' string > in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally > via ds_put_format(). If it is not initialized, it crashes later in > dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. > > To fix this, check if memory for the src string has been allocated, > before copying it to the dst string. > > Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") > Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> > > --- > > v1->v2: fix ds_clone(); ds_cstr() not needed in callers. Thanks! This version looks good to me. I'd add a few more generic words to the commit message, so it will be easier to understand the change on older branches, but I can do that before applying the patch. There supposed to be a separate patch for correct initialization of s_tnl in the lib/netdev-offload-dpdk.c, as Gaetan suggested. We need to initialize them with DS_EMPTY_INITIALIZER. Though it will not be different from the actual memory initialization point of view, it's a more correct way to work with dynamic string. Something like this: @@ -1324,7 +1325,11 @@ netdev_offload_dpdk_mark_rss(struct flow_patterns *patterns, struct netdev *netdev, uint32_t flow_mark) { - struct flow_actions actions = { .actions = NULL, .cnt = 0 }; + struct flow_actions actions = { + .actions = NULL, + .cnt = 0, + .s_tnl = DS_EMPTY_INITIALIZER, + }; const struct rte_flow_attr flow_attr = { .group = 0, .priority = 0, --- And the same for other initializations of 'struct flow_actions' and 'struct flow_patterns'. I also noticed that free_flow_patterns() doesn't destroy the s_tnl, i.e. leaks it. This can be fixed in the same patch along with correct initialization. Could you prepare this kind of patch? Best regards, Ilya Maximets.
On Fri, Aug 13, 2021 at 4:07 AM Ilya Maximets <i.maximets@ovn.org> wrote: > > On 8/12/21 8:33 AM, Sriharsha Basavapatna via dev wrote: > > In netdev_offload_dpdk_flow_create() when an offload request fails, > > dump_flow() is called to log a warning message. The 's_tnl' string > > in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally > > via ds_put_format(). If it is not initialized, it crashes later in > > dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. > > > > To fix this, check if memory for the src string has been allocated, > > before copying it to the dst string. > > > > Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") > > Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> > > > > --- > > > > v1->v2: fix ds_clone(); ds_cstr() not needed in callers. > > Thanks! This version looks good to me. I'd add a few more generic > words to the commit message, so it will be easier to understand the > change on older branches, but I can do that before applying the patch. Yes, please feel free to update the commit message, thanks ! > > There supposed to be a separate patch for correct initialization of > s_tnl in the lib/netdev-offload-dpdk.c, as Gaetan suggested. We need > to initialize them with DS_EMPTY_INITIALIZER. Though it will not be > different from the actual memory initialization point of view, it's > a more correct way to work with dynamic string. Something like this: > > @@ -1324,7 +1325,11 @@ netdev_offload_dpdk_mark_rss(struct flow_patterns *patterns, > struct netdev *netdev, > uint32_t flow_mark) > { > - struct flow_actions actions = { .actions = NULL, .cnt = 0 }; > + struct flow_actions actions = { > + .actions = NULL, > + .cnt = 0, > + .s_tnl = DS_EMPTY_INITIALIZER, > + }; > const struct rte_flow_attr flow_attr = { > .group = 0, > .priority = 0, > --- > > And the same for other initializations of 'struct flow_actions' and > 'struct flow_patterns'. I also noticed that free_flow_patterns() > doesn't destroy the s_tnl, i.e. leaks it. This can be fixed in the > same patch along with correct initialization. > > Could you prepare this kind of patch? Sure, I'll send out a separate patch for this. Thanks, -Harsha > > Best regards, Ilya Maximets.
On 8/13/21 4:39 AM, Sriharsha Basavapatna via dev wrote: > On Fri, Aug 13, 2021 at 4:07 AM Ilya Maximets <i.maximets@ovn.org> wrote: >> >> On 8/12/21 8:33 AM, Sriharsha Basavapatna via dev wrote: >>> In netdev_offload_dpdk_flow_create() when an offload request fails, >>> dump_flow() is called to log a warning message. The 's_tnl' string >>> in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally >>> via ds_put_format(). If it is not initialized, it crashes later in >>> dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. >>> >>> To fix this, check if memory for the src string has been allocated, >>> before copying it to the dst string. >>> >>> Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") >>> Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> >>> >>> --- >>> >>> v1->v2: fix ds_clone(); ds_cstr() not needed in callers. >> >> Thanks! This version looks good to me. I'd add a few more generic >> words to the commit message, so it will be easier to understand the >> change on older branches, but I can do that before applying the patch. > > Yes, please feel free to update the commit message, thanks ! Thanks! Applied to master and backported down to 2.12. Best regards, Ilya Maximets.
diff --git a/lib/dynamic-string.c b/lib/dynamic-string.c index 6f7b610a9..fd0127ed1 100644 --- a/lib/dynamic-string.c +++ b/lib/dynamic-string.c @@ -460,6 +460,10 @@ ds_chomp(struct ds *ds, int c) void ds_clone(struct ds *dst, struct ds *source) { + if (!source->allocated) { + ds_init(dst); + return; + } dst->length = source->length; dst->allocated = dst->length; dst->string = xmalloc(dst->allocated + 1);
In netdev_offload_dpdk_flow_create() when an offload request fails, dump_flow() is called to log a warning message. The 's_tnl' string in flow_patterns gets initialized in vport_to_rte_tunnel() conditionally via ds_put_format(). If it is not initialized, it crashes later in dump_flow_attr()->ds_clone()->memcpy() while dereferencing this string. To fix this, check if memory for the src string has been allocated, before copying it to the dst string. Fixes: fa44a4a3ff7b ("ovn-controller: Persist desired conntrack groups.") Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> --- v1->v2: fix ds_clone(); ds_cstr() not needed in callers. --- lib/dynamic-string.c | 4 ++++ 1 file changed, 4 insertions(+)